Generic.Detection.Yara.SSH :: Velociraptor

Generic.Detection.Yara.SSH

This is a server artifact that enables running Generic.Detection.Yara.Glob over ssh.

This artifact can be used to run against a single server or against a list of servers via notebook foreach.

Keys are passed as path on disk to preserve potential key leakage. You can also modify the artifact to allow server_metadata to be passed.


name: Generic.Detection.Yara.SSH
author: Matt Green - @mgreen27
description: |
  This is a server artifact that enables running Generic.Detection.Yara.Glob 
  over ssh.
  
  This artifact can be used to run against a single server or against a list of 
  servers via notebook foreach.
  
  Keys are passed as path on disk to preserve potential key leakage. You can also 
  modify the artifact to allow server_metadata to be passed.


type: SERVER
parameters:
  - name: TargetHost
    description: Target SSH host in the format <hostname or IP>:<port>
  - name: TargetUsername
    description: SSH Username to connect - e.g ubuntu
  - name: TargetKey
    description: SSH key path as Velociraptor server metadata or path on disk.
  - name: PathGlob
    description: Only file names that match this glob will be scanned.
    default: /usr/bin/ls
  - name: SizeMax
    description: maximum size of target file.
    type: int64
  - name: SizeMin
    description: minimum size of target file.
    type: int64
  - name: UploadHits
    type: bool
  - name: DateAfter
    type: timestamp
    description: "search for events after this date. YYYY-MM-DDTmm:hh:ssZ"
  - name: DateBefore
    type: timestamp
    description: "search for events before this date. YYYY-MM-DDTmm:hh:ssZ"
  - name: YaraRule
    type: yara
    description: Final Yara option and the default if no other options provided.
    default: |
        rule IsELF:TestRule {
           meta:
              author = "the internet"
              date = "2021-05-03"
              description = "A simple ELF rule to test yara features"
          condition:
             uint32(0) == 0x464c457f
        }
  - name: NumberOfHits
    description: This artifact will stop by default at one hit. This setting allows additional hits
    default: 1
    type: int
  - name: ContextBytes
    description: Include this amount of bytes around hit as context.
    default: 0
    type: int

sources:
  - query: |
      LET SSH_CONFIG <= dict(
            hostname= TargetHost,
            username= TargetUsername,
            private_key= read_file(filename=TargetKey)
        )

      LET _ <= remap(config='''
        remappings:
          - type: mount
            from:
             accessor: ssh
            on:
             accessor: auto
        ''')

      SELECT * FROM Artifact.Generic.Detection.Yara.Glob(
                PathGlob=PathGlob,
                YaraRule=YaraRule,
                NumberOfHits=NumberOfHits,
                ContextBytes=ContextBytes,
                SizeMax=SizeMax,
                SizeMin=SizeMin,
                UploadHits=UploadHits,
                DateAfter=DateAfter,
                DateBefore=DateBefore
            )

column_types:
  - name: HitContext
    type: preview_upload